Electronic signature application becomes effective in the EU
With the eIDAS Regulation on electronic identification and trust services in the EU becoming almost fully applicable last July 1, a new scenario has opened up for the digital signature/electronic signature.
Security and trust, but also some points still to be sorted out …
On this matter, we wish to share the following report from Red Seguridad magazine, prepared with the help of Jesús Rodríguez, REALSEC CEO, among other experts.
We hope this report will be helpful and of interest to anyone wanting to learn a little more about this matter and to gain a clearer view of the prospects for the new eIDAS Regulation as applied to the digital signature.
You can read the full report:
TWO YEARS AFTER ITS APPROVAL BY THE EUROPEAN UNION, FROM JULY 1 THE REGULATION (EU) 910/2014 ON ELECTRONIC SIGNATURE IS PRACTICALLY APPLICABLE IN ITS ENTIRETY, WHICH PROVIDES ADVANTAGES TO BUSINESSES, CITIZENS AND ADMINISTRATIONS IN TERMS OF SECURITY AND CONFIDENCE, BUT ALSO GENERATES SOME CONTROVERSY
Regulation (EU) No 910/2014 of the European Parliament and of the Council of July 23, 2014, on electronic identification and trust services for electronic transactions in the internal market, known as the eIDAS Regulation, was published in the Official Journal of the European Union on August 28, 2014, repealing Directive 1999/93/EC. The aim of this legal text is “to reinforce confidence in electronic transactions in the internal market by providing a common basis for achieving secure electronic interactions between citizens, businesses and public administrations and increasing, as a result, the effectiveness of online public and private services, e-business and e-commerce in the Union”.
To that end, a transitional adaptation period of two years was established, which ended last July 1. Being a regulation, its requirements overlap with any similar legislation the Member States may have. In addition, during this time several standards of the European Telecommunications Standards Institute (ETSI) and the European Committee for Standardization (CEN), which define technical aspects derived from the eIDAS Regulation, have been created or modified, and several legal documents complementing the text, in the form of Implementing Decisions and Regulations, have been published. At the same time, several modifications have been made to the national legislation of each Member State on electronic signatures, related services and electronic identification systems. However, other ETSI and CEN standards, further legal documents complementing the eIDAS Regulation and new changes to the national legislation of each Member State are still under development and therefore pending publication.
Companies and Public Administrations in Europe in general, and in Spain in particular, have therefore had a couple of years to adjust to this new regulation, which is mandatory. In the case of Spain, this preparation, according to Jesús Rodríguez, Realsec CEO, “has been uneven”: “some have made very little effort or none whatsoever to get ready, while for others it has been the other way round. In any case, everyone will have to adapt and meet the current and future technical and legal requirements of the eIDAS Regulation”, says the executive.
The Deputy General Director of Information Society Services of the Secretary of State for Telecommunications and the Information Society of the Ministry of Industry, Energy and Tourism, Gema María Campillos González, considers that, in the case of the Public Administrations, “adaptation is complete”. “Since Law 11/2007, of June 22, on electronic access of citizens to public services, time stamping for automated action, as well as electronic time stamping, have been in use,” she says. She also confirms that “platforms such as @signature have been updated promptly and in accordance with Community requirements for the recognition and admission of European electronic identities, as well as electronic signatures and stamps”.
Facundo Rojo, Vintegris CEO, believes that the Administration, which had already been making more intensive use of electronic signature systems, “is well prepared for the adoption of the trust services of the eIDAS Regulation, as are the companies that have been using these mechanisms to interact with the Administrations”.
In any case, its application is already a reality, and for Jordi Buch, Marketing and Sales Director of Safelayer Secure Communications, “an updating of the legislation is completely necessary due to the fast evolution of technology”.
At this point it is essential to pause and examine the innovations this Regulation introduces, in order to understand it properly. Firstly, this is the first time that the legislation regulates electronic identification systems as a separate matter from the traditional electronic signature services.
According to the Deputy General Director of Information Society Services, “they are regulated to facilitate secure telematic interaction with Public Administrations and their use for cross-border procedures”. The Regulation therefore establishes a framework for cross-border mutual recognition of the electronic identity schemes that Member States notify to the Commission, provided they have a “substantial” or “high” security level. To this end, the security characteristics and levels that these schemes must comply with have been defined, as well as the minimum set of data that unambiguously identifies a person requesting online access to a public service.
Luis Ojeda, Business Development Director of Always On, remarks that “now you can successfully carry out valid business and electronic transactions in the Community territory: citizens can do business in a more convenient, fast and economical way, such as marriages abroad and tax returns”. Furthermore, he adds, “companies can tender for public contracts anywhere in the EU, and can sign and stamp such offers, indicating date and time”. Even people who want to do business in another EU country can set up companies and file annual reports.
Pablo Corrales, a lawyer at Abanlex, therefore believes that “the fulfillment of the eIDAS Regulation is very positive, since all of the electronic signature certificates issued by Member States of the European Union from now on will be validated, and that is a step forward towards European integration”. In this way, he says, “you can access electronic services that require this type of signature in a more dynamic and simple way, avoiding the huge obstacle of having to apply for an electronic signature in each Member State in which you want to make use of any of these services”.
Electronic identification management solutions
The companies that have voiced their opinion in this report have several proposals in the field of electronic identity management. For example, Vintegris has developed vinCERT, for centralized management of digital certificates, and nebulaSIGN, a technology for signing and approving documents on the move. In addition, it has just launched nebulaCERT, “which is fully aligned with the new legal requirements”, in the words of Facundo Rojo, managing director.
Furthermore, Safelayer's solutions also make it possible to manage the trust placed in the various forms of electronic identification recognized by the new eIDAS Regulation. “We use the concept of level of trust (Assurance Level) that the eIDAS Regulation includes and that other international regulations adopt”, explains Jordi Buch, Marketing and Sales Director of the company. He continues: “it allows authentication and electronic signature technology suited to the real risk level to be applied, thus adapting to a dynamic application environment, as happens in practice.”
Moreover, Luis Ojeda, Business Development Director of Always On, assures that his company provides its customers with “all the know-how necessary to manage digital certificates for companies from any environment, with the aim of avoiding the risks of identity impersonation and the fraudulent use of customers’ data, without the need to have their own infrastructure”.
Finally, Realsec offers two solutions: CryptoSign Server, an electronic signature platform for all kinds of documents, and Cryptosec Openkey TSA, a time stamping authority system. According to Jesús Rodríguez Cabrero, CEO, “both are presented in appliance format with hardware, software and HSM integrated”.
Furthermore, Rodríguez Cabrero, from Realsec, highlights that the “mutual recognition in the Member States of the means of electronic identification issued by the electronic identification systems, for the purpose of cross-border authentication in the online services provided by the public sector bodies, will not be required until September 29, 2018”.
Signatures and stamps
Secondly, the Regulation regulates new qualified trust services other than the electronic signature: the electronic stamp of a legal person, the qualified signature and stamp validation service, the qualified signature and stamp preservation service, the time stamping service, the electronic delivery service and the website authentication service (typically, SSL certificates).
Facundo Rojo, General Director of Vintegris, states that one of the main advantages of the eIDAS Regulation is “the harmonization in the European Union of the security guarantees in electronic transactions, and in particular of the electronic signatures of individuals, the electronic stamps of legal persons and electronic time stamping”. And, as sources from AMETIC highlight, it “now includes more services than the issuance of natural person certificates referred to in the previous European regulations”. This has already had a direct consequence in Spain. “Electronic certificates of legal persons and entities without legal personality issued prior to July 1, 2016 may continue to be used until their expiry or revocation, but may not be renewed after that date,” argues Campillos, who insists: “Regarding the duality between electronic signature and stamp, the Regulation clearly separates the active subjects in each case, noting that individuals sign and legal persons stamp electronically, so the signing certificates of legal persons and entities without legal personality are left without legal recognition”.
To replace these, the legislative text provides two trust services that may be used by legal persons: the “electronic certificate of electronic stamp”, which can be used, among other functions, for issuing electronic invoices, and the “natural person certificate as representative of a legal person”, which can be used as a suitable tool for interacting with Public Administrations.
However, this is causing some controversy. For instance, as AMETIC points out, “the recently passed Law 39/2015 on Administrative Procedure, which will take effect in October 2016, still contemplates the signature certificates of legal persons and entities without legal personality, which are not possible within the Regulation framework”. In addition, they add, “the signature policies of the State General Administration that will be published from July 2016 have not yet been adapted to the Regulation, since they cover aspects of Law 59/2003 for backwards compatibility”. Corrales, from Abanlex, believes that one of the most important changes of the eIDAS Regulation affects the classifications or types of electronic signature. “Since the old classifications set out in Law 59/2003 remain valid until their expiry, both new and old classifications are expected to co-exist, and this will greatly facilitate the adaptation period for enterprises and the Administration”.
AENOR publishes standards for secure electronic signature creation devices
The Spanish Association for Standardisation and Certification (AENOR) has adopted as Spanish standards the series of European Standards on protection profiles for secure signature creation devices, known as UNE-EN 419211. Their aim is to establish a system of trust in the electronic signature, promoting the digital economy in Europe through its use in transactions between consumers, businesses and Administrations.
Basically, these standards establish the minimum security requirements that the different electronic signature creation devices must meet in order to be secure against the main threats, such as electronic signature forgery, forgery of the data to be signed, or the storage, copying and disclosure of signature creation data, among others.
This family of standards is made up of six parts dealing with the different types of secure signature creation devices that exist; it specifies the functional and operational requirements and the targets of evaluation for these device protection profiles. Thus, the conformity of signature and electronic stamp creation devices with these standards gives a presumption of compliance with the requirements set out in Regulation (EU) No 910/2014 of the European Parliament and the Council, known as eIDAS.
However, the Deputy General Director of Information Society Services explains, “the need to properly manage a transitional period in which certificates that cease to have legal recognition remain in force can be cited as a natural disadvantage of the changes introduced by the Regulation”.
Besides, according to several of the experts consulted, the application of the Regulation reveals some other drawbacks. For Rodríguez Cabrero, of Realsec, “the main disadvantage is the difficulty of complying with all the technical and legal requirements arising from the Regulation for the existing and new systems implemented in the Member States.” Rojo, from Vintegris, cites “the possible existence of substantial differences in the performance of national supervisors, something that could harm Spanish companies compared with companies established in States with a more flexible or lax supervision”.
Another important aspect, which has also generated some controversy, concerns qualified trust service providers. Rodríguez Cabrero, of Realsec, explains that “they are natural or legal persons that provide one or more qualified trust services and to which the national supervisory authority has granted that qualification”.
Basically, their functions are the creation, verification and validation of electronic signatures, electronic stamps or electronic time stamps, certified electronic delivery services and the certificates related to these services; the creation, verification and validation of certificates for website authentication; and the preservation of the signatures, stamps or electronic certificates related to these services.
The gist is that the supervision regime for these entities becomes, for qualified services, a system of prior authorization instead of the notification established in the 1999 Directive. As Campillos explains, “a mixed system of public-private collaboration is set up for the supervision of qualified providers, since their inclusion on the list of qualified trust service providers (TSL), which allows them to start the activity, should be based on a conformity assessment report issued by an accredited conformity assessment body”.
This means that a process is established for service providers intending to issue qualified certificates, who must send a conformity assessment report to the Administration before July 1, 2017.
Qualified trust service providers will be subject to periodic biennial supervision
From then on, they will have to submit the document every 24 months to remain on the TSL. In this regard, Campillos remarks, “the National Organization of Accreditation (ENAC) is entitled to accredit the conformity assessment bodies wishing to carry out evaluations of trust service providers”.
Evidently, this is not going as well as it should, as AMETIC recalls. The Association points out that “the certification service providers cannot apply for audits, because they are waiting for the audit entities to be defined, and standards are not yet defined for the new services”. In addition: “Only the certification services, whose audit standards are based on those defined for Directive 1999/93/EC, have a clear context”.
However, for AMETIC, this “is not a problem concerning the Spanish regulators solely. The European Union has not resolved many of these aspects either, although the major milestones in the publication of supplementary guidelines to the Regulation have been met.”
It is worth highlighting an initiative of the National Cryptologic Centre (CCN) to define the rules for auditing certificate management and signature systems in the ICT cloud that can be used in Spain, even though it will take time for the standardization bodies to issue the equivalent standards. According to AMETIC sources, “it is a demand of the market which, fortunately, has had an early response from the CCN, which will improve the positioning of Spanish entities”.
Innovative services and conclusion
Finally, another great novelty of the eIDAS Regulation is worth highlighting. It opens up the possibility of innovative services based on mobile and cloud solutions, such as the remote electronic signature and stamp, in response to the evolution of technology and the demands of the market. In this mode, Campillos explains, “the service providers manage the signature creation data of the signer or stamp holder, who is guaranteed, with a high degree of confidence, to have sole control over their signature or seal creation data”.
Despite everything discussed here, several of the experts consulted believe there is still a long way to go. For example, Rojo, from Vintegris, considers that “there is a long journey ahead to achieve wider use of these technologies, due to technological barriers that, fortunately, the eIDAS Regulation eliminates; in particular, cryptographic devices, such as cards, have led to lower adoption of the qualified electronic signature”.
In this respect, Ojeda, from Always On, agrees that “a lot remains to be done; for example, the information about the revocation status or validity of issued certificates must already be available, reliable, efficient, automated and free”. The manager also called for awareness so that security measures are put in place to prevent impersonation attacks, bearing in mind all the negative consequences these generate.
In any case, as Buch, from Safelayer, explains, the eIDAS Regulation is “a strong step forward in improving confidence and convenience that will provide benefit to organizations and citizens”. In addition, “it accepts the new forms of identification and electronic signature that the ‘social, mobility and cloud’ vectors of the Internet impose; it also accompanies the improvement of the efficiency of organizations’ electronic processes, and supports new business models that demand identification systems that are simple and less costly to integrate”.
In conclusion, the Deputy General Director of Information Society Services states that the eIDAS Regulation is “a milestone for progress in key areas of the digital economy, by facilitating the cross-border use of public and private online services and e-commerce, through two important measures: the use of means of electronic identification for cross-border access to online public services offered by any EU State, and the generation of increased competition in the market for trust services.”
Original source (in Spanish): Red Seguridad Magazine